Just one week after the milestone decision rendered by the CJEU (http://curia.europa.eu/juris/celex.jsf?celex=62014CJ0362&lang1=fr&type=TXT&ancre) to invalidate the Safe Harbor program established 15 years ago between the U.S. and the EU to facilitate the transfer of personal data from the EU to the U.S., a German data protection authority (DPA) issued a position paper where it states that, in its opinion:
- Given the mass surveillance conducted by U.S. intelligence agencies, data subjects may not be able to provide effective informed consent to the transfer of their data to the U.S., which means that such a legal basis may not be able to be used to legally transfer personal data from Europe to the U.S.;
- Model contractual clauses are not a reliable a tool to transfer personal data from Europe to the U.S. and data exporters should consider suspending such transfers under the model contracts. To reach this conclusion, the German DPA relied on the fact that the clauses require the data importer to represent that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter. However, the German DPA agency reasoned, U.S. data importers are not in a position to give such a representation.
Following such reasoning could deduce that, some narrow exceptions aside, Binding Corporate Rules are the only way to provide for adequate protection for a transfer of personal data from the EU to the U.S.
Indeed, according to EU Directive of October 24, 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, except for certain derogations itemized in the directive, personal data cannot be transferred outside the EU to a country which does not offer an adequate level of protection (http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:31995L0046). According to the EU Commission, the U.S., not being a country whose laws offer an adequate level of protection for personal data, the Safe Harbor program had been negotiated in 2000 between the U.S. authorities and the EU Commission to enable U.S. companies to legally import personal data from the EU. For various reasons explained in our previous blog (http://privacylaw.proskauer.com/2015/10/articles/european-union/us-eu-safe-harbor-invalidated-what-now/), the CJEU has invalidated the Safe Harbor program.
However, before drawing hasty conclusions on the position taken by the DPA of the German state of Schleswig-Holstein (only one of the German DPAs), it is noteworthy that such a conservative position is for the moment isolated and that such DPA is known to be very strict in the protection of personal data.